Method for ensuring media stream security in IP Multimedia Sub-System

ABSTRACT

A method for ensuring media stream security in an IP Multimedia Subsystem network is disclosed. The method includes: assigning an end-to-end media stream security key for a calling User Equipment (UE) or a called UE, by a network device with which the calling UE or the called UE is registered, respectively, and transmitting the media stream security key to a network device with which the opposite end is registered; encrypting the end-to-end media stream security key using a session key shared with the calling UE or the called UE respectively, and transmitting the encrypted end-to-end media stream security key to the calling UE or the called UE, respectively, via a session message; encrypting or decrypting a media stream, by the calling UE or the called UE, respectively, using the end-to-end media stream security key.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/885,168, filed Oct. 16, 2015, and entitled “METHOD FOR ENSURING MEDIA STREAM SECURITY IN IP MULTIMEDIA SUB-SYSTEM,” which issued as U.S. Pat. No. 9,537,837 on Jan. 3, 2017, which is a continuation of U.S. patent application Ser. No. 14/050,768, filed Oct. 10, 2013, and entitled “METHOD FOR ENSURING MEDIA STREAM SECURITY IN IP MULTIMEDIA SUB-SYSTEM,” which issued as U.S. Pat. No. 9,167,422 on Oct. 20, 2015, which is a continuation of U.S. patent application Ser. No. 11/774,271, filed Jul. 6, 2007, and entitled “METHOD FOR ENSURING MEDIA STREAM SECURITY IN IP MULTIMEDIA SUB-SYSTEM,” which issued as U.S. Pat. No. 8,582,766 on Nov. 12, 2013, which is a continuation of PCT/CN2005/002429, filed Dec. 31, 2005, and entitled “A METHOD FOR ENSURING THE SAFETY OF THE MEDIA-FLOW IN IP MULTIMEDIA SUB-SYSTEM,” and which published as WO/2006/072212 on Jul. 13, 2006, and which claims priority to CN 200510000097.7, filed Jan. 7, 2005. The entire contents of each of the foregoing applications are expressly incorporated herein by reference in their entireties.

FIELD OF THE INVENTION

The present invention relates to the media stream security technologies in communication networks, and in particular, to a method for ensuring media stream security in an IP Multimedia Subsystem (IMS) network.

BACKGROUND OF THE INVENTION

As a core session control layer in fixed and mobile networks, the IMS has become a main topic in the art. Many specifications related to the IMS have been defined in the Third Generation Partnership Project (3GPP) and Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN) standards, which concern network architecture, interfaces, protocols, etc. In particular, security is an important consideration in the 3GPP and TISPAN. In the current specifications, the IMS network is split into an access domain and a network domain in view of security, and security specifications are defined for the access domain and the network domain respectively. FIG. 1 shows a security model for the IMS network, in which the interfaces requiring security are defined. Although described in detail in the specifications, these interfaces are defined only in terms of the control plane of the IMS network, i.e. how to ensure the security of the session protocols in the IMS network, and not how to ensure the security of the media plane in the IMS network. In fact, the security of the media plane is also very important; otherwise, media streams may be tampered with or eavesdropped on during the conversation of the subscribers, which results in degradation of the quality of service for the subscribers or leakage of confidential information.

Usually, an approach for protecting the media streams in the IMS network comprises: a Real-time Transfer Protocol (RTP) proxy is introduced into the architecture of the IMS network; keys are shared between User Equipment (UE) and the RTP proxy through the Generic Bootstrapping Architecture (GBA, which is also a generic authentication and key assignment model defined in the 3GPP specifications); confidentiality and integrity of the media streams are secured between the UE and the RTP proxy through the shared keys, achieving the security of the media streams in the access domain; and the security of the media streams in the network domain may be achieved in two ways: the first one is that no protection is provided between the RTP proxies, if the network domain is trustable or secure; and the other one is that the media streams between the RTP proxies are protected through the IP Security (IPsec) Encapsulating Security Payload (ESP) protocol under the security mechanism in the 3GPP IMS network domain.

FIG. 2 shows an architecture of the GBA model and FIG. 3 illustrates an application of the GBA model to key assignment for the media streams. In the application, the Session Initiation Protocol (SIP) server (such as the Proxy Call Session Control Function (P-CSCF) defined in the 3GPP IMS network) and the RTP proxy are taken as a whole, i.e. as a Network Application Function (NAF) entity in the GBA. The SIP server acquires from the Bootstrapping Server Function (BSF) a key shared between the NAF and an SIP client. The key shared between the NAF and an SIP client is stored in the BSF. The SIP server then sends the key to the RTP proxy via the Is interface. Thus, the key for media stream security is shared between the SIP client and the RTP proxy.

In the GBA model, both the NAF and the BSF are logical function entities. All Application Servers (ASs) and even the Call Session Control Function (CSCF) entity may be used as an NAF to acquire a key shared with the UE in the GBA processes. Likewise, the BSF may be implemented by any device, such as a CSCF entity, a Home Subscriber Server (HSS), an Authentication, Authorization and Accounting (AAA) server, a web portal, etc.

SUMMARY OF THE INVENTION

Embodiments of the invention provide a method for enhancing end-to-end media stream security in an IMS network, thereby solving the problem that the security and the quality of service for an end-to-end media stream are impaired as a result of the many rounds of encryption and decryption required for the media stream.

The embodiments of the invention provide the following technical solutions.

A method for ensuring media stream security in an IP Multimedia Subsystem network, including the following steps:

assigning, by a first network device of a first User Equipment, UE, an end-to-end media stream security key for the first UE, and transmitting the end-to-end media stream security key to a second network device of a second UE;

encrypting the end-to-end media stream security key using a first session key shared with the first UE, and transmitting the encrypted end-to-end media stream security key to the first UE via a first session message; encrypting the end-to-end media stream security key using a second session key shared with the second UE, and transmitting the encrypted end-to-end media stream security key to the second UE via a second session message;

encrypting or decrypting a media stream, by at least one of the first UE or the second UE, using the end-to-end media stream security key.

Optionally,

the first UE is a calling UE and the second UE is a called UE; or the first UE is a called UE and the second UE is a calling UE.

The first network device may be a Service-Call Session Control Function, S-CSCF, of the first UE; the end-to-end media stream security key is transmitted by the first network device to a Proxy-Call Session Control Function, P-CSCF, of the first UE, and is encrypted and transmitted to the first UE by the P-CSCF of the first UE. The second network device may be an S-CSCF of the second UE; the end-to-end media stream security key is transmitted by the second network device to a P-CSCF of the second UE, and is encrypted and transmitted to the second UE by the P-CSCF of the second UE.

Alternatively, the first network device may be an Application Server, AS, of the first UE; the end-to-end media stream security key is encrypted and transmitted to the first UE by the AS of the first UE. The second network device may be an AS of the second UE; the end-to-end media stream security key is encrypted and transmitted to the second UE by the AS of the second UE.

The method may also include: specifying a media stream security capability between the first UE and the second UE by the first network device or the second network device according to the security capabilities provided by the first UE and the second UE.

The method may also include: transmitting the assigned end-to-end media stream security key by the first network device or the second network device to a listening device, which listens to the encrypted media stream by decrypting the media stream using the end-to-end media stream security key.

The media stream security key is transmitted between the first network device and the second network device either in plain text in a session message in the network domain, or through a security mechanism in the IMS network domain.

The end-to-end media stream security key may be a cipher key or an integrity key.

Another embodiment of the invention provides a system for ensuring media stream security in an IP Multimedia Subsystem network, including: a first network device of a first User Equipment, hereinafter referred to as UE, for assigning an end-to-end media stream security key for the first UE, transmitting the media stream security key to a second network device of a second UE, encrypting the end-to-end media stream security key using a first session key shared with the first UE, and transmitting the encrypted end-to-end media stream security key to the first UE via a first session message; and a second network device of the second UE, for encrypting the end-to-end media stream security key using a second session key shared with the second UE, and transmitting the encrypted end-to-end media stream security key to the second UE via a second session message.

Yet another embodiment of the invention provides a system for ensuring media stream security in an IP Multimedia Subsystem network, including: a first network device of a first User Equipment, hereinafter referred to as UE, for assigning an end-to-end media stream security key for the first UE, and transmitting the media stream security key to a second network device of a second UE; a third network device of the first UE, for encrypting the end-to-end media stream security key using a first session key shared with the first UE, and transmitting the encrypted end-to-end media stream security key to the first UE via a first session message; and a fourth network device of the second UE, for encrypting the end-to-end media stream security key using a second session key shared with the second UE, and transmitting the encrypted end-to-end media stream security key to the second UE via a second session message.

In the method according to an embodiment of the invention, the media stream security key is assigned for the calling UE and the called UE by an application server acting as a network device, or by a network device such as a CSCF. The media stream needs to be encrypted or decrypted only once by the calling UE or the called UE during the transmission of the media stream. Therefore, there is no substantial effect on the performance of the IMS network devices, and the quality of service for the media stream can be ensured easily. In terms of security, a key becomes invalid upon completion of the session because the key is assigned dynamically during each session. In this way, very high security may be ensured.

Because the security capabilities of the calling UE and the called UE may be negotiated in an interactive way while negotiating the media stream security key, an end-to-end security association may be established dynamically between the calling UE and the called UE.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram illustrating an IMS network security model in the related art;

FIG. 2 is a schematic diagram illustrating a GBA model in the related art;

FIG. 3 illustrates an application of the GBA in media stream security;

FIGS. 4 and 5 are flow charts illustrating embodiments of the invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

In FIG. 1, the Call Session Control Function (CSCF) entities defined in the IMS network are operable to implement functions such as control, routing, etc. during calls and sessions. The Proxy-Call Session Control Function (P-CSCF), Service-Call Session Control Function (S-CSCF) and Interrogating-Call Session Control Function (I-CSCF) are distinguished from one another for the purpose of implementing different functions. In particular, the P-CSCF is used for access of a User Equipment (UE); all UEs access the network via the P-CSCF. The S-CSCF provides the core functions, such as session control, routing, etc. The I-CSCF is used for selection of the S-CSCF and for intercommunication among different operators or networks in different regions, as well as for the network shielding function and the like. For example, the I-CSCF may be used as the only egress for different operators. The Application Server (AS) in the IMS network provides services for users, for example, various applications such as call waiting, conference, instant messaging, etc. Different applications may be located in different ASs. The S-CSCF entity is responsible for forwarding a session request from a user to different ASs, depending on the service information.

In an embodiment of the invention, to reduce the number of encryptions and decryptions performed on the media stream during transmission, a security association is established directly between the Session Initiation Protocol (SIP) clients, i.e. the calling UE and the called UE, such that the media stream is protected through direct encryption and decryption between the calling UE and the called UE, thus achieving end-to-end media stream security.

An end-to-end media stream security key may be negotiated in two ways. In the first, the end-to-end media stream security key is assigned by a CSCF entity. In the second, the end-to-end media stream security key is assigned by an Application Server (AS). The end-to-end media stream security key is a Cipher Key (CK) or an Integrity Key (IK).

Referring to FIG. 4, the end-to-end media stream security is implemented in the first way as follows.

Block 1: during the process of establishing a session, an S-CSCF among the CSCF entities with which the calling UE or the called UE is registered determines whether the media streams for this session need to be protected, according to the subscription information of the UE, or according to an instruction from the AS regarding protection of the media stream carried in a session message. If protection is necessary, the S-CSCF assigns the end-to-end media security key according to the protection way specified in the subscription information. If the specified protection way is encryption, an end-to-end Cipher Key (CK) is assigned. If the specified protection way is integrity protection, an end-to-end Integrity Key (IK) is assigned.

Block 2: after assigning the end-to-end media stream security key, the S-CSCF of the calling UE or the called UE transmits the end-to-end media stream security key to the S-CSCF of the opposite UE in a session message of the network domain. The S-CSCF of the calling UE transmits the end-to-end media stream security key to the P-CSCF of the calling UE in a session message, and the S-CSCF of the called UE transmits the end-to-end media stream security key to the P-CSCF of the called UE in a session message.

If the network domain is assumed to be trustable or secure, the end-to-end media stream security key may be transmitted in plain text (i.e. the key is not protected by encryption at all). In practice, the end-to-end media stream security key may be transmitted through the security mechanism in the IMS network domain.

Block 3: the P-CSCF to which the calling UE or the called UE is attached encrypts the end-to-end media stream security key using a cipher key shared between the calling UE or called UE and the P-CSCF; the cipher key is obtained by the UE through negotiation during the registration process, i.e. Authentication and Key Agreement (AKA).

Block 4: the P-CSCF to which the calling UE is attached transmits the encrypted media stream security key to the calling UE in cipher text in a session message, and the P-CSCF to which the called UE is attached transmits the encrypted media stream security key to the called UE in cipher text in a session message, so as to ensure that the end-to-end media stream security key is transmitted securely over the insecure access-side network. Each of the calling UE and the called UE obtains the end-to-end media stream security key between the calling UE and the called UE by decrypting the encrypted media stream security key using the session key (i.e., the cipher key) shared with its P-CSCF.

Block 5: media stream messages are transmitted between the calling UE and the called UE after being encrypted or integrity-protected using the end-to-end media stream security key according to the Security Association (SA) negotiated during the process of establishing the session, thus achieving end-to-end media stream security.

If only the media stream from the calling UE to the called UE needs to be protected, the calling UE encrypts or integrity-protects the media stream using the end-to-end media stream security key before sending the media stream to the called UE, while the called UE authenticates and decrypts the received media stream using the end-to-end media stream security key and does not encrypt the media stream it sends. If only the media stream from the called UE to the calling UE needs to be protected, the process is similar to the above. If both the media streams sent by the calling UE and the called UE need to be protected, both parties encrypt or integrity-protect the media streams using the end-to-end media stream security key before sending them, and decrypt the received media streams using the end-to-end media stream security key.

Referring to FIG. 5, the end-to-end media stream security is implemented in the second way as follows.

Before initiating a session, each of the calling UE and the called UE negotiates a security key to be shared between itself and the Network Application Function (NAF) during the process of registering and authenticating (AKA), in combination with the GBA procedures. When initiating or responding to a session request subsequently, the calling UE or the called UE carries a Bootstrapping procedure Transaction identifier (B-TID) in a session message or during interaction with the NAF (alternatively, an application layer security key may be negotiated between the UE and the NAF in another way; the detailed description is not limited to the above).

Block 10: during the process of establishing a session, an Application Server (AS) of the calling UE or the called UE determines whether the media streams for this session need to be protected, according to a requirement of the service or the subscription information of the user. If protection is needed, the AS assigns the end-to-end media security key according to the protection way specified in the subscription information or the requirement of the service. If the specified protection way is encryption, the end-to-end Cipher Key (CK) is assigned. If the specified protection way is integrity protection, the end-to-end Integrity Key (IK) is assigned.

Block 11: the AS assigning the end-to-end media stream security key encrypts the end-to-end media stream security key through the security mechanism in the network domain and transmits the encrypted media stream security key in a session message to the AS of the opposite UE.

If the network domain is assumed to be trustable, the key may be transmitted in plain text in the network domain.

Block 12: the AS of the calling UE requests the application layer security key shared between the NAF and the calling UE from the Bootstrapping Server Function (BSF) according to the Bootstrapping procedure Transaction identifier (B-TID) carried in the session message from the calling UE, and the AS of the called UE requests the application layer security key shared between the NAF and the called UE from the BSF according to the B-TID carried in the session message from the called UE.

The application layer security key may also be stored in a Home Subscriber Server (HSS). In this case, the AS of either the calling UE or the called UE acquires the key from the HSS according to the B-TID carried in the session message from the UE (in practice, the application layer key may be assigned between the AS and the UE in other ways).

Block 13: the AS of the calling UE or the called UE encrypts the media stream security key using the application layer security key shared with its respective UE, and transmits the encrypted media stream security key to the calling UE or the called UE, respectively, via a session message.

Block 14: the calling UE or the called UE obtains the end-to-end media stream security key between the calling UE and the called UE by decrypting the encrypted media stream security key using the application layer key shared with the AS.

Block 15: media stream messages are transmitted between the calling UE and the called UE after being encrypted or integrity-protected using the end-to-end media stream security key according to the Security Association (SA) negotiated during the process of establishing the session, thus achieving end-to-end media stream security.

If only the media stream from the calling UE to the called UE needs to be protected, the calling UE encrypts or integrity-protects the media stream using the end-to-end media stream security key before sending the media stream to the called UE, while the called UE authenticates and decrypts the received media stream using the end-to-end media stream security key and does not encrypt the media stream it sends. If only the media stream from the called UE to the calling UE needs to be protected, the process is similar to the above. If both the media streams sent by the calling UE and the called UE need to be protected, both parties encrypt or integrity-protect the media streams using the end-to-end media stream security key before sending them, and decrypt the received media streams using the end-to-end media stream security key.

In block 12, the application layer security key shared between an Application Server (AS) and a User Equipment (UE) may also be acquired in another way known in the related art.

For the format of a media stream message after being encrypted or integrity-protected, reference may be made to the definition of the RTP message format in the IETF Draft “Security RTP”. Such a message format is substantially similar to the format of an RTP message, and defines information such as the portion of the message to be encrypted, the portion of the message to be authenticated, and the locations of the encryption and authentication information in the message, etc.

While negotiating the end-to-end media stream security key during the process of establishing a session, the security capabilities of the calling UE and the called UE may be negotiated in an interactive way, for example, information such as the supported algorithms for encryption or integrity protection. The procedure and mechanism are similar to those described in RFC 3329, Security Mechanism Agreement for the Session Initiation Protocol (SIP). While determining whether the media stream needs to be protected and assigning a security key, the AS or S-CSCF may specify the media stream security capability between the calling UE and the called UE according to the security capabilities submitted by the calling UE and the called UE, thus establishing an end-to-end security association between the calling UE and the called UE.

The media stream is encrypted on an end-to-end basis during transmission. However, because the end-to-end media stream security key is assigned by the AS or S-CSCF, when the encrypted media stream being transmitted needs to be listened to, the AS or S-CSCF may route the session through a listening device to the called UE while assigning the end-to-end media stream security key, so that the media stream of the user is relayed to the listening device. The AS or S-CSCF sends the Cipher Key (CK) to the listening device during the process of exchanging session messages with the listening device, so that the listening device may listen to the encrypted media stream by decrypting it.

It is apparent to those skilled in the art that various modifications and variations may be made to the invention without departing from the spirit and scope of the invention. Therefore, such modifications and variations are intended to be encompassed in the invention provided that they fall within the scope of the invention as defined by the appended claims and their equivalents.
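The two key-distribution procedures above (Blocks 1-5 with the S-CSCF/P-CSCF, Blocks 10-15 with the AS and GBA) share one shape: a serving node assigns a CK or IK, the key crosses the network domain, each UE's serving node wraps it under the key it already shares with that UE, and the UEs then protect media with it. The Python below is an added model of that flow, not code from the patent; the UE names, B-TID strings, the fixed access-side keys and the HMAC-SHA256 counter-mode cipher used in place of the real IMS/SRTP algorithms are all constructed assumptions, and the network-domain hop between the two serving nodes is modelled as a direct handover (the "trusted network domain" case).

```python
import hashlib
import hmac
import secrets

# Constructed access-side keys (not real IMS values). First way: the cipher key each
# UE shares with its P-CSCF after IMS AKA registration (Block 3). Second way: the GBA
# application-layer key each UE shares with the NAF/AS, fetched from the BSF by B-TID
# (Block 12). The hop between the two S-CSCFs/ASs is a direct in-memory handover here,
# i.e. the "trusted network domain" case of the text.
AKA_KEYS = {"calling": bytes.fromhex("0f" * 16), "called": bytes.fromhex("1e" * 16)}
BTIDS = {"calling": "btid-calling@example", "called": "btid-called@example"}
BSF_KEYS = {BTIDS["calling"]: bytes.fromhex("2d" * 32), BTIDS["called"]: bytes.fromhex("3c" * 32)}


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the real cipher, not SRTP's AES-CTR.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def assign_e2e_key(protection):
    """Block 1 / Block 10: the S-CSCF or AS decides whether the session needs protection
    and assigns a CK (encryption) or an IK (integrity protection). None means no protection."""
    if protection is None:
        return None
    kinds = {"encryption": "CK", "integrity": "IK"}
    if protection not in kinds:
        raise ValueError("unknown protection way: %r" % protection)
    return kinds[protection], secrets.token_bytes(16)


def wrap_key(kek, e2e_key):
    """Block 3 / Block 13: encrypt the e2e key under the key shared with one UE so it can
    cross the insecure access side inside a session message. Layout: nonce + ct + tag."""
    nonce = secrets.token_bytes(12)
    ct = _xor(e2e_key, _keystream(kek, nonce, len(e2e_key)))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap_key(kek, blob):
    """Block 4 / Block 14: the UE recovers the e2e key. A bad tag means the session
    message was altered on the access side and the key must not be used."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return _xor(ct, _keystream(kek, nonce, len(ct)))


def access_side_kek(way, ue):
    """Which shared key the serving node wraps the e2e key with for this UE."""
    if way == "cscf":
        return AKA_KEYS[ue]            # P-CSCF uses the AKA cipher key
    return BSF_KEYS[BTIDS[ue]]         # AS asks the BSF for the NAF key by B-TID


def distribute_key(way, protection):
    """Blocks 1-4 (way="cscf") or Blocks 10-14 (way="as"): returns the key type and the
    copy of the e2e key each UE ends up holding, or None when no protection is needed."""
    assigned = assign_e2e_key(protection)
    if assigned is None:
        return None
    kind, e2e_key = assigned
    held = {}
    for ue in ("calling", "called"):
        kek = access_side_kek(way, ue)
        session_message = wrap_key(kek, e2e_key)   # what actually crosses the access side
        held[ue] = unwrap_key(kek, session_message)
    return kind, held


def protect_media(kind, key, seq, payload):
    """Block 5 / Block 15: SRTP-like packet, 4-byte sequence number as nonce, then either
    an encrypted payload (CK) or the clear payload plus a 10-byte tag (IK)."""
    nonce = seq.to_bytes(4, "big")
    if kind == "CK":
        return nonce + _xor(payload, _keystream(key, nonce, len(payload)))
    tag = hmac.new(key, nonce + payload, hashlib.sha256).digest()[:10]
    return nonce + payload + tag


def unprotect_media(kind, key, packet):
    nonce = packet[:4]
    if kind == "CK":
        return _xor(packet[4:], _keystream(key, nonce, len(packet) - 4))
    payload, tag = packet[4:-10], packet[-10:]
    expected = hmac.new(key, nonce + payload, hashlib.sha256).digest()[:10]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("media packet failed integrity check")
    return payload


def one_way_protected_call(way, protection, payload):
    """Only the calling->called direction is protected: the caller protects each packet,
    the callee checks or decrypts it with its own copy of the e2e key."""
    kind, held = distribute_key(way, protection)
    packet = protect_media(kind, held["calling"], 1, payload)
    return unprotect_media(kind, held["called"], packet)
```

Note that in CK mode nothing detects a wrong or tampered key at the media layer; only the IK mode (or a combined CK plus IK association) gives the receiving UE an integrity check on each packet.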

What is claimed:
1. A computer system, comprising: one or more processors; and one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors to configure the computer system as a first network device serving first User Equipment (UE) and for ensuring media stream security between the first UE and second UE within a multimedia network, the computer-executable instructions including instructions that are executable to configure the computer system to perform at least the following: assign an end-to-end media stream security key for the first UE; transmit the end-to-end media stream security key to a second network device serving second UE; encrypt the end-to-end media stream security key using a first session key shared with the first UE resulting in a first encrypted end-to-end media stream security key; and transmit the first encrypted end-to-end media stream security key to the first UE via a first session message, wherein the first UE encrypts or decrypts a media stream using the end-to-end media stream security key, and wherein the second UE also encrypts or decrypts the media stream using the end-to-end media stream security key, the end-to-end media stream security key having been received by the second UE based on the second network device having encrypted the end-to-end media stream security key using a second session key shared between the second network device and the second UE, resulting in a second encrypted end-to-end media stream security key, and the second network device having transmitted the second encrypted end-to-end media stream security key to the second UE via a second session message.
2. The computer system of claim 1, wherein the first network device and the second network device comprise one or more application servers.
3. The computer system of claim 1, wherein the first network device and the second network device comprise one or more proxy devices.
4. The computer system of claim 3, wherein the one or more proxy devices are selected from the group comprising: one or more Proxy-Call Session Control Function entities and one or more Real-time Transfer Protocol proxy entities.
5. The computer system of claim 1, wherein the first network device comprises a first Service-Call Session Control Function (S-CSCF) entity serving the first UE and a first Proxy-Call Session Control Function (P-CSCF) entity serving the first UE, and wherein the second network device comprises a second S-CSCF entity serving the second UE, and a second P-CSCF entity serving the second UE.
6. The computer system of claim 1, the computer-executable instructions also including instructions that are executable to configure the computer system to determine that the media stream is to be protected by way of encryption, and wherein assigning the end-to-end media stream security key comprises assigning an end-to-end Cipher Key.
7. The computer system of claim 1, the computer-executable instructions also including instructions that are executable to configure the computer system to determine that the media stream is to be protected by way of integrity protection, and wherein assigning the end-to-end media stream security key comprises assigning an end-to-end Integrity Key.
8. The computer system of claim 1, wherein the multimedia network comprises an IP Multimedia Subsystem network.
9. The computer system of claim 1, wherein the multimedia network comprises a Voice over IP network.
10. A computer system, comprising: one or more processors; and one or more computer-readable media having stored thereon computer-executable instructions that are executable by the one or more processors to configure the computer system as a second network device serving second User Equipment (UE) and for ensuring media stream security between first UE that is associated with a first network device and the second UE within a multimedia network, the computer-executable instructions including instructions that are executable to configure the computer system to perform at least the following: receive an end-to-end media stream security key from the first network device serving the first UE, the end-to-end media stream security key having been assigned for the first UE by the first network device, having been encrypted by the first network device using a first session key shared with the first UE, and having been sent by the first network device to the first UE in a first encrypted form via a first session message; encrypt the end-to-end media stream security key using a second session key shared with the second UE; and transmit the end-to-end media stream security key to the second UE in a second encrypted form via a second session message, wherein the second UE encrypts or decrypts a media stream using the end-to-end media stream security key, and wherein the first UE also encrypts or decrypts the media stream using the end-to-end media stream security key.
11. The computer system of claim 10, wherein the first network device and the second network device comprise one or more application servers.
12. The computer system of claim 10, wherein the first network device and the second network device comprise one or more proxy devices.
13. The computer system of claim 12, wherein the one or more proxy devices are selected from the group comprising: one or more Proxy-Call Session Control Function entities and one or more Real-time Transfer Protocol proxy entities.
14. The computer system of claim 10, wherein the first network device comprises a first Service-Call Session Control Function (S-CSCF) entity serving the first UE and a first Proxy-Call Session Control Function (P-CSCF) entity serving the first UE, and wherein the second network device comprises a second S-CSCF entity serving the second UE, and a second P-CSCF entity serving the second UE.
15. The computer system of claim 10, wherein the multimedia network comprises an IP Multimedia Subsystem network.
16. The computer system of claim 10, wherein the multimedia network comprises a Voice over IP network.
17. The computer system of claim 10, wherein the multimedia network comprises one or more IP Multimedia Subsystem components and one or more Voice over IP components.
18. The computer system of claim 10, wherein the first network device is also configured to determine the end-to-end media stream security key for the first UE based on an instruction from an Application Server entity in the multimedia network.
19. The computer system of claim 10, wherein the first UE is a calling UE, and the second UE is a called UE.
20. A method, implemented at a computer system that includes one or more processors and that is configured as a first network device serving first User Equipment (UE), for ensuring media stream security between the first UE and second UE within a multimedia network, the method comprising: assigning an end-to-end media stream security key for the first UE; transmitting the end-to-end media stream security key to a second network device serving second UE; encrypting the end-to-end media stream security key using a first session key shared with the first UE resulting in a first encrypted end-to-end media stream security key; and transmitting the first encrypted end-to-end media stream security key to the first UE via a first session message, wherein the first UE encrypts or decrypts a media stream using the end-to-end media stream security key, and wherein the second UE also encrypts or decrypts the media stream using the end-to-end media stream security key, the end-to-end media stream security key having been received by the second UE based on the second network device having encrypted the end-to-end media stream security key using a second session key shared between the second network device and the second UE, resulting in a second encrypted end-to-end media stream security key, and the second network device having transmitted the second encrypted end-to-end media stream security key to the second UE via a second session message.